Mobile malware has largely been limited to Trojans buried inside a malicious app targeting sensitive data stored on the phone such as email, contact information and SMS messages. A new proof-of-concept piece of malicious software, however, expands the scope of mobile malware and essentially turns an Android device into a surveillance tool, bringing a whole new range of security and privacy implications into the equation.
Researchers from the Naval Surface Warfare Center and Indiana University’s School of Informatics and Computing introduced PlaceRaider late last week, putting a new spin on burglary and espionage while coining the term visual malware. PlaceRaider exploits innate weaknesses in Android to use the phone’s camera to surreptitiously take photographs, and send that data off to a command and control server where an attacker could build a 3D model of the victim’s environment.
“Remote burglars can thus download the physical space, study the environment carefully and steal virtual objects from the environment such as financial documents, information on computer monitors and personally identifiable information,” the researchers wrote in a paper published last week.
The attack is relatively low-tech, requiring a user to install a malicious camera application infected with PlaceRaider. Once the data is uploaded to the C&C server, the attacker can use a variety of available open source viewer and modeling software to reconstruct the space in question. This research ups the ante on previous mobile attacks in which attackers could remotely turn on a device’s microphone and listen in on conversations or otherwise monitor the device.
With PlaceRaider, Robert Templeman, Zahid Rahman, David Crandall and Apu Kapadia have brought remote capabilities to such visual attacks; past attacks have required the attacker to be within visual range of the target.
“We show how PlaceRaider allows remote hackers to reconstruct rich three-dimensional models of the smartphone owner’s personal indoor spaces through completely opportunistic use of the camera,” they wrote.
A victim would have to download a malicious camera application to initiate the exploit. PlaceRaider collects not only images but also data from the device’s accelerometer, gyroscope and magnetometer, giving the attacker orientation readings for each image. The app runs in the background on the device and can be configured to take pictures at set intervals without the user’s knowledge. The researchers count on the user granting the application permission to access the camera, write to external storage and connect to the Internet; most camera apps require these permissions, so they are unlikely to raise any suspicion.
PlaceRaider also requires root access to change audio settings in order to mute the audible shutter sound cameras emit when photos are snapped. It also disables the photo preview feature on the device, another hint to the user that the phone has been compromised. Again, most users, the researchers said, would disregard any permission warnings and grant the app what it wanted. As for access to the accelerometer, gyroscope and magnetometer? Android requires no permission at all to read them.
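As an added example (not code from the PlaceRaider paper or the researchers), the following Python script parses an AndroidManifest.xml and flags the permission combination the article describes: camera plus external storage plus Internet, with audio-setting changes as an extra indicator. The permission names are real Android permissions; `MODIFY_AUDIO_SETTINGS` is used here as the manifest-visible proxy for the audio-setting change mentioned above, and both sample manifests are constructed for illustration. The script also records that sensor access will never show up in a manifest, since, as the article notes, Android requires no permission for it.

```python
"""Permission-combination triage for Android manifests.

Added example, not code from the PlaceRaider paper. It flags the
permission pattern a camera-based exfiltration app would request so that
an analyst reviewing an app can spot the combination quickly. The sample
manifests below are constructed; the permission names are real Android ones.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names.
CAMERA = "android.permission.CAMERA"
STORAGE = "android.permission.WRITE_EXTERNAL_STORAGE"
INTERNET = "android.permission.INTERNET"
AUDIO = "android.permission.MODIFY_AUDIO_SETTINGS"

# Sensors that need no permission and therefore never appear in a manifest.
UNLISTED_SENSORS = ("accelerometer", "gyroscope", "magnetometer")

# Constructed sample: what a camera app with upload capability might request.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cameraapp">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.MODIFY_AUDIO_SETTINGS"/>
    <application android:label="Camera"/>
</manifest>
"""

# Constructed sample: an offline camera app that only saves photos locally.
OFFLINE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.offlinecamera">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="Offline Camera"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> tags."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # android:name in Clark notation
    perms = set()
    for elem in root.iter("uses-permission"):
        name = elem.get(name_attr)
        if name:
            perms.add(name)
    return perms


def triage(manifest_xml):
    """Flag permission combinations that allow covert capture and upload."""
    perms = requested_permissions(manifest_xml)
    findings = []
    # Capture + local buffering + network path: the minimum for exfiltration.
    exfil_capable = {CAMERA, STORAGE, INTERNET} <= perms
    if exfil_capable:
        findings.append("camera+storage+internet: can capture and upload images")
    if AUDIO in perms:
        findings.append("modify audio settings: could silence the shutter sound")
    return {
        "permissions": sorted(perms),
        "findings": findings,
        "exfil_capable": exfil_capable,
        # Orientation data is available to any app; nothing to check here.
        "unlisted_sensors": UNLISTED_SENSORS,
    }


if __name__ == "__main__":
    for label, manifest in (("suspect", SUSPECT_MANIFEST), ("offline", OFFLINE_MANIFEST)):
        result = triage(manifest)
        print(label, result["exfil_capable"], result["findings"])
```

The check is deliberately a triage signal, not a verdict: a legitimate cloud-backed camera app requests exactly the same three permissions, which is the point the researchers make about why users do not notice. The value of the script is in forcing the combination to be reviewed together with the audio-settings indicator rather than permission by permission.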
PlaceRaider also weeds out “redundant and uninformative images” before sending data to the C&C server, analyzing the sensor data and applying a set of algorithms to determine which images are likely to be useful to an attacker. The analysis scores each image against a threshold and discards any that fall below it, reducing the transmission and power burden on the phone.
Next the researchers used a toolkit known as Bundler, which specializes in Structure from Motion (SfM), the process of building a 3D model from two-dimensional images, along with Patch-based Multi-view Stereo software and a custom plug-in built for the open source MeshLab viewer to render the 3D model of the target’s environment.
The paper details a test scenario with 20 users equipped with an HTC Amaze device running Android 2.3.3 in a typical academic setting staged with objects such as personal checks, calendars, barcodes, computer screens and more. The phone was configured to take 1 megapixel photos every two seconds. Once the data was collected, 30 percent of the models scored better than average on a subjective scale established by the researchers, the paper said.
“These results suggest that faithful 3D models of a space can often be generated from opportunistically captured images,” the researchers wrote. “This is a somewhat surprising result because most Structure from Motion approaches were designed for use with deliberately composed images.”
This particular attack could have consequences beyond home burglaries and could put sensitive business and military installations at risk. The effects would worsen if future versions of the malware could identify pre-defined objects, for example.
Prevention, however, largely remains with the user, especially when it comes to arbitrarily granting permissions that give the malware access to the camera and audio settings. Android and iOS, meanwhile, require no permissions to access the phone’s sensors, whose readings the malware uses to reduce the image data transmitted to the attacker.
The researchers suggest that the operating system could be adjusted to allow image capture only when a physical button is pressed, preventing surreptitious capture.